unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 4806ecaae92611bcd85700b069b780af7efde97a 2662 bytes (raw)
name: gnu/packages/patches/cracklib-CVE-2016-6318.patch 	 # note: path name is non-authoritative(*)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

 
Fix CVE-2016-6318.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318

Patch copied from Red Hat:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6318
https://bugzilla.redhat.com/attachment.cgi?id=1188599&action=diff

It is not safe to pass words longer than STRINGSIZE further to cracklib
so the longbuffer cannot be longer than STRINGSIZE.
diff -up cracklib-2.9.0/lib/fascist.c.longgecos cracklib-2.9.0/lib/fascist.c
--- cracklib-2.9.0/lib/fascist.c.longgecos	2014-02-06 16:03:59.000000000 +0100
+++ cracklib-2.9.0/lib/fascist.c	2016-08-08 12:05:40.279235815 +0200
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
-    char longbuffer[STRINGSIZE * 2];
+    char longbuffer[STRINGSIZE];
 
     if (gecos == NULL)
 	gecos = "";
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
     {
 	for (i = 0; i < j; i++)
 	{
-	    strcpy(longbuffer, uwords[i]);
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 	    {
-		return _("it is derived from your password entry");
-	    }
-
-	    strcpy(longbuffer, uwords[j]);
-	    strcat(longbuffer, uwords[i]);
+		strcpy(longbuffer, uwords[i]);
+		strcat(longbuffer, uwords[j]);
 
-	    if (GTry(longbuffer, password))
-	    {
-		return _("it's derived from your password entry");
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derived from your password entry");
+		}
+
+		strcpy(longbuffer, uwords[j]);
+		strcat(longbuffer, uwords[i]);
+
+		if (GTry(longbuffer, password))
+		{
+		   return _("it's derived from your password entry");
+		}
 	    }
 
-	    longbuffer[0] = uwords[i][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[j]);
-
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[j]) < STRINGSIZE - 1)
 	    {
-		return _("it is derivable from your password entry");
+		longbuffer[0] = uwords[i][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[j]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it is derivable from your password entry");
+		}
 	    }
 
-	    longbuffer[0] = uwords[j][0];
-	    longbuffer[1] = '\0';
-	    strcat(longbuffer, uwords[i]);
-
-	    if (GTry(longbuffer, password))
+	    if (strlen(uwords[i]) < STRINGSIZE - 1)
 	    {
-		return _("it's derivable from your password entry");
+		longbuffer[0] = uwords[j][0];
+		longbuffer[1] = '\0';
+		strcat(longbuffer, uwords[i]);
+
+		if (GTry(longbuffer, password))
+		{
+		    return _("it's derivable from your password entry");
+		}
 	    }
 	}
     }

debug log:

solving 4806eca ...
found 4806eca in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).